We present a symbolic transition system and bisimulation equivalence for psi-calculi, and show that
it is fully abstract with respect to bisimulation congruence in the non-symbolic semantics. 

A psi-calculus is an extension of the pi-calculus with nominal data types for data structures and 
for logical assertions representing facts about data. These can be transmitted between processes and 
their names can be statically scoped using the standard pi-calculus mechanism to allow for scope 
migrations. Psi-calculi can be more general than other proposed extensions of the pi-calculus such as 
the applied pi-calculus, the spi-calculus, the fusion calculus, or the concurrent constraint pi-calculus. 

Symbolic semantics are necessary for an efficient implementation of the calculus in automated 
tools exploring state spaces, and the full abstraction property means the semantics of a process does 
not change from the original. 

1 Introduction 

A multitude of extensions of the pi-calculus have been defined, allowing higher-level data structures and 
operations on them to be used as primitives when modelling applications. Ranging from integers, lists, 
or booleans to encryption/decryption or hash functions, the extensions increase the applicability of the 
basic calculus. In order to implement automated tools for analysis and verification using state space 
exploration (e.g. bisimilarity or model checking), each extended calculus needs a symbolic semantics, 
where the state space of agents is reduced to a manageable size - the non-symbolic semantics typically 
generates infinite state spaces even for very simple agents. 

The extensions thus require added efforts both in developing the theory of the calculus for each 
variant, and in constructing specialised symbolic semantics for them. As the complexity of the extensions 
increases, producing correct results in these areas can be very hard. For example the labelled semantics of 
applied pi-calculus [2] and of CC-Pi [14] have both turned out to be non-compositional; another example 
is the rather complex bisimulations which have been developed for the spi-calculus [3] (see [12] for an
overview of non-symbolic bisimulations, or ifTTl [T3l [TUl for symbolic ones).

The psi-calculi [5] improve the situation: a single framework allows a range of specialised calculi 
to be formulated with a lean and compositional labelled semantics: with the parameters appropriately 
instantiated, the resulting calculus can be used to model applications such as cryptographic protocols and 
concurrent constraints, but also more advanced scenarios with polyadic synchronization or higher-order 
data and logics. The expressiveness and modelling convenience of psi-calculi exceeds that of earlier 
pi-calculus extensions, while the purity of the semantics is on par with the original pi-calculus. Its meta- 
theory has been proved mechanically using the theorem prover Isabelle 0. 

In this paper we develop a symbolic semantics for psi-calculi, admitting large parts of this range of 
calculi to be verified more efficiently. We define a symbolic version of labelled bisimulation equivalence, 
and show that it is fully abstract with respect to bisimulation congruence in the original semantics. This 
means that our new symbolic semantics does not change which processes are considered equivalent. 

A symbolic semantics abstracts the values received in an input action. Instead of a possibly infinite 
branching of concrete values, a single name is used to represent them all. When the received values are 
used in conditional constructions (e.g. if-then-else) or as communication channels, we do not know their
precise value, but need to record the constraints which must be satisfied for a resulting transition to be
valid.

A Fully Abstract Symbolic Semantics for Psi-Calculi. In: B. Klin, P. Sobocinski (Eds.): 6th Workshop on Structural Operational Semantics (SOS'09).

A (non-symbolic) psi-calculus transition has the form $\Psi \rhd P \xrightarrow{\alpha} P'$, with the intuition that $P$ can
perform $\alpha$ leading to $P'$ in an environment that asserts $\Psi$. For example, if $P$ can do an $\alpha$ to $P'$ then
$\mathsf{case}\ \mathrm{prime}(x) : P$ can make an $\alpha$-transition to $P'$ if we can deduce $\mathrm{prime}(x)$ from the environment, e.g.

$$\{x = 3\} \rhd \mathsf{case}\ \mathrm{prime}(x) : P \xrightarrow{\alpha} P'.$$

In the symbolic semantics where we may not have the precise value of $x$, we instead decorate the transition
with its requirement, so

$$\Psi \rhd \mathsf{case}\ \mathrm{prime}(x) : P \xrightarrow{\alpha}_{C \wedge \{\!|\Psi \vdash \mathrm{prime}(x)|\!\}} P' \quad \text{(for any } \Psi\text{)}$$

where $C$ is the requirement for $P$ to do an $\alpha$ to $P'$ in the environment $\Psi$. Constraints also arise from
communication between parallel agents, where, in the symbolic case, the precise channels may not be
known; instead we allow communication over symbolic representations of channels and record the
requirement in a transition constraint. As an example consider $a(x).a(y).(\overline{x}x.P \mid y(z).Q)$ which after
its initial inputs only has symbolic values of $x$ and $y$. The resulting agent has the symbolic transition
$\overline{x}x.P \mid y(z).Q \xrightarrow{\tau}_{x \leftrightarrow y} P \mid Q[z := x]$, where $x \leftrightarrow y$ means that $x$ and $y$ represent the same channel, but
might not have a $\tau$ transition in the non-symbolic semantics.

Communication channels in psi-calculi may be structured data terms, not only names. This leads
to a new source of possibly infinite branching: a subject in a prefix may be rewritten to another
equivalent term before it is used in a transition. E.g., when $\mathrm{first}(x,y)$ and $x$ represent the same channel,
$P = \overline{\mathrm{first}(a,b)}\,c.P' \xrightarrow{\overline{a}\,c} P'$, but also $P \xrightarrow{\overline{\mathrm{first}(a,c)}\,c} P'$, etc. The possibility of using structured channels gives
significant expressive power (see [5]). Our symbolic semantics abstracts the equivalent forms of channel
subject by using a fresh name as subject, and adds a suitable constraint to the transition label (see
Section 3).

1.1 Comparison to related work 

Symbolic bisimulations for process calculi have a long history. Our work is to a large extent based on the
pioneering work by Hennessy and Lin ifTTl for value-passing CCS, later specialised for the pi-calculus
by Boreale and De Nicola [9] and independently by Lin [18, 19]. While ifTTl is parameterised by general
boolean expressions on an underlying data signature it does not handle names and mobility; on the other
hand [9, 18, 19] handle only names and no other data structures. The number of (direct or indirect)
follow-up works to these is huge, with applications ranging from pi-calculus to constraint programming;
here we focus on the relation to the ones for applied pi-calculus and spi-calculus.

The existing tools for calculi based on the applied pi-calculus (e.g. UJI7JI81), are not fully abstract wrt 
bisimulation. A symbolic semantics and bisimulation for applied pi-calculus has been defined in 031, 
but it is not complete. Additionally, the labelled (non-symbolic) bisimulation of applied pi-calculus is not 
compositional (see [5]). The situation for the spi-calculus is better: fully abstract symbolic bisimulation
for hedged bisimulation has been defined in [10], and for open hedged bisimulation (a finer equivalence)
in [13]. According to those authors, neither is directly mechanizable. The only symbolic bisimulation
which to our knowledge has been implemented in a tool is not fully abstract IfTTl.

It can be argued [11] that incompleteness is not a problem when verifying authentication and secrecy 
properties of security protocols, which appears to have been the main application of the applied pi- 
calculus so far. When going beyond security analysis we claim (based on experience from the Mobility 
Workbench [22]) that completeness is very important: when analysing agents with huge state spaces,
a positive result (the agents are equivalent) may be more difficult to achieve than a negative result (the 
agents differ). However, such a negative result can only be trusted if the analysis is fully abstract. 

Our symbolic semantics is relatively simple, compared to the ones presented for applied pi-calculus 
or spi-calculus. In relation to the former, we are helped significantly by the absence of structural
equivalence rules, which in applied pi-calculus are rather complex. In [15] an intermediate semantics is used
to overcome the complexity. In contrast we can directly relate the original and symbolic semantics. In 
relation to the symbolic semantics for spi-calculus, our semantics has a straight-forward treatment of 
scope opening due to the simpler psi-calculi semantics. In addition, the complexities of spi-calculus 
bisimulations are necessarily inherited by the symbolic semantics, introducing e.g. explicit environment 
knowledge representations with timestamps on messages and variables. In psi-calculi, bisimulation is 
much simpler and the symbolic counterpart is not significantly more complex than the one for value- 
passing CCS. 

In the light of these complications, the relevance of precise encodings of the applied pi-calculus or 
spi-calculus as psi-calculi, or comparing the resulting bisimulation equivalences is questionable. Our 
interest is in handling and analysing the same type of applications, and also the more advanced kinds of 
applications mentioned in the beginning of this section. 

Disposition. In the next section we review the basic definitions of syntax, semantics, and bisimulation
of psi-calculi. Section 3 presents the symbolic semantics and bisimulation, while Section 4 illustrates the
concrete and symbolic transitions and bisimulations by examples. In Section 5 we show our main results:
the correspondence between concrete and symbolic transitions and bisimulations. Section 6 concludes,
and presents plans and ideas for future work.

2 Psi-calculi 

This section is a brief recapitulation of psi-calculi and nominal data types; for a more extensive treatment 
including motivations and examples see 0. 

2.1 Nominal data types 

We assume a countably infinite set of atomic names $\mathcal{N}$ ranged over by $a, b, \ldots, x, y, z$. Intuitively, names
will represent the symbols that can be statically scoped, and also represent symbols acting as variables in
the sense that they can be subjected to substitution. A nominal set [20, 16] is a set equipped with name
swapping functions written $(a\ b)$, for any names $a, b$. An intuition is that for any member $X$ it holds that
$(a\ b) \cdot X$ is $X$ with $a$ replaced by $b$ and $b$ replaced by $a$. One main point of this is that even though we have
not defined any particular syntax we can define what it means for a name to "occur" in an element: it is
simply that it can be affected by swappings. The names occurring in this way in an element $X$ constitute
the support of $X$, written $n(X)$.

We write $a \# X$, pronounced "$a$ is fresh for $X$", for $a \notin n(X)$. If $A$ is a set of names we write $A \# X$ to
mean $\forall a \in A\,.\ a \# X$. We require all elements to have finite support, i.e., $n(X)$ is finite for all $X$.

A function $f$ on nominal sets is equivariant if $(a\ b) \cdot f(X) = f((a\ b) \cdot X)$ holds for all $X, a, b$, and
similarly for functions and relations of any arity. Intuitively, this means that all names are treated equally.

A nominal data type is just a nominal set together with a set of functions on it. In particular we
require a substitution function [6], which intuitively substitutes elements for names. If $X$ is an element of
a data type, $\tilde{a}$ is a sequence of names without duplicates and $\tilde{Y}$ is an equally long sequence of elements,
the substitution $X[\tilde{a} := \tilde{Y}]$ is an element of the same data type as $X$.

2.2 Agents 

A psi-calculus is defined by instantiating three nominal data types and four operators:

Definition 1 (Psi-calculus parameters). A psi-calculus requires the three (not necessarily disjoint) nominal data types:

$\mathbf{T}$ the (data) terms, ranged over by $M, N$
$\mathbf{C}$ the conditions, ranged over by $\varphi$
$\mathbf{A}$ the assertions, ranged over by $\Psi$

and the four equivariant operators:

$\leftrightarrow\ : \mathbf{T} \times \mathbf{T} \to \mathbf{C}$ Channel Equivalence
$\otimes : \mathbf{A} \times \mathbf{A} \to \mathbf{A}$ Composition
$\mathbf{1} : \mathbf{A}$ Unit
$\vdash\ \subseteq \mathbf{A} \times \mathbf{C}$ Entailment

The binary functions above will be written in infix. Thus, if $M$ and $N$ are terms then $M \leftrightarrow N$ is a
condition, pronounced "$M$ and $N$ are channel equivalent" and if $\Psi$ and $\Psi'$ are assertions then so is $\Psi \otimes \Psi'$.
Also we write $\Psi \vdash \varphi$, "$\Psi$ entails $\varphi$", for $(\Psi, \varphi) \in\ \vdash$.

The data terms are used to represent all kinds of data, including communication channels. Conditions
are used as guards in agents, and $M \leftrightarrow N$ is a particular condition saying that $M$ and $N$ represent the
same channel. The assertions will be used to declare information necessary to resolve the conditions.
Assertions can be contained in agents and thus represent information postulated by that agent; they can
contain names and thereby be syntactically scoped and thus represent information known only to the
agents within that scope. The intuition of entailment is that $\Psi \vdash \varphi$ means that given the information in
$\Psi$, it is possible to infer $\varphi$. We say that two assertions are equivalent if they entail the same conditions:

Definition 2 (Assertion equivalence). Two assertions are equivalent, written $\Psi \simeq \Psi'$, if for all $\varphi$ we have
that $\Psi \vdash \varphi \Leftrightarrow \Psi' \vdash \varphi$.

A psi-calculus is formed by instantiating the nominal data types and morphisms so that the following
requisites are satisfied:

Definition 3 (Requisites on valid psi-calculus parameters).

Channel Symmetry:
Channel Transitivity:
Weakening:
Composition:
Identity:
Associativity:
Commutativity:

Our requisites on a psi-calculus are that the channel equivalence is a partial equivalence relation,
that $\otimes$ preserves equivalence, and that the equivalence classes of assertions form an abelian monoid. We
do not require that channel equivalence is reflexive. There may be terms $M$ such that $M \leftrightarrow M$ does not
hold. By transitivity and symmetry then $M \leftrightarrow N$ holds for no $N$, which means that $M$ cannot be used as
a channel at all. In this way we accommodate data structures which cannot be used as channels. The
requisite of weakening (which is not present in [5]) excludes some non-monotonic logics; it simplifies
our proofs in the present paper although we do not know if it is absolutely necessary. It is only used in
one place in the proof of Theorem 20.



In the following $\tilde{a}$ means a finite (possibly empty) sequence of names, $a_1, \ldots, a_n$. The empty
sequence is written $\varepsilon$ and the concatenation of $\tilde{a}$ and $\tilde{b}$ is written $\tilde{a}\tilde{b}$. When occurring as an operand of
a set operator, $\tilde{a}$ means the corresponding set of names $\{a_1, \ldots, a_n\}$. We also use sequences of terms,
conditions, assertions etc. in the same way.

A frame can intuitively be thought of as an assertion with local names:

Definition 4 (Frame). A frame $F$ is of the form $(\nu\tilde{b})\Psi$ where $\tilde{b}$ is a sequence of names considered bound
in the assertion $\Psi$. We use $F, G$ to range over frames.¹

Name swapping on a frame $F = (\nu\tilde{b})\Psi$ just distributes to its two components. We identify alpha
equivalent frames, so $n(F) = n(\Psi) - n(\tilde{b})$. We overload $\mathbf{1}$ to also mean the least informative frame
$(\nu\varepsilon)\mathbf{1}$ and $\otimes$ to mean composition on frames defined by $(\nu\tilde{b}_1)\Psi_1 \otimes (\nu\tilde{b}_2)\Psi_2 = (\nu\tilde{b}_1\tilde{b}_2)\Psi_1 \otimes \Psi_2$ where
$\tilde{b}_1 \# \tilde{b}_2, \Psi_2$ and vice versa. We write $(\nu\tilde{c})((\nu\tilde{b})\Psi)$ for $(\nu\tilde{c}\tilde{b})\Psi$, and when there is no risk of confusing a
frame with an assertion we write $\Psi$ for $(\nu\varepsilon)\Psi$.

Definition 5 (Equivalence of frames). We define $F \vdash \varphi$ to mean that there exists an alpha variant $(\nu\tilde{b})\Psi$
of $F$ such that $\tilde{b} \# \varphi$ and $\Psi \vdash \varphi$. We also define $F \simeq G$ to mean that for all $\varphi$ it holds that $F \vdash \varphi$ iff $G \vdash \varphi$.

Intuitively a condition is entailed by a frame if it is entailed by the assertion and does not contain any
names bound by the frame. Two frames are equivalent if they entail the same conditions.

Definition 6 (Psi-calculus agents). Given valid psi-calculus parameters as in Definitions 1 and 3 the
psi-calculus agents, ranged over by $P, Q, \ldots$, are of the following forms.

$\overline{M}N.P$ Output

$\underline{M}(x).P$ Input

$\mathsf{case}\ \varphi_1 : P_1\ [\!]\ \cdots\ [\!]\ \varphi_n : P_n$ Case

$(\nu a)P$ Restriction

$P \mid Q$ Parallel

$!P$ Replication

$(\!|\Psi|\!)$ Assertion



In the Input $\underline{M}(x).P$, $x$ binds its occurrences in $P$. Restriction binds $a$ in $P$. An assertion is guarded if it
is a subterm of an Input or Output. In a replication $!P$ there may be no unguarded assertions in $P$.

In the Output and Input forms $M$ is called the subject and $N$ and $x$ the objects, respectively. Output
and Input are similar to those in the pi-calculus, but arbitrary terms can function as both subjects and
objects. Note that differently from [5], for simplicity the input is not pattern matching (see Section 6 for
a discussion). The case construct works by performing the action of any $P_i$ for which the corresponding
$\varphi_i$ is true. So it embodies both an if (if there is only one branch) and an internal nondeterministic choice
(if the conditions are overlapping).

¹ In some presentations frames have been written just as pairs $\langle \tilde{b}, \Psi \rangle$. The notation in this paper better conveys the idea that
the names bind into the assertion, at the slight risk of confusing frames with agents. Formally, we establish frames and agents
as separate types, although a valid intuition is to regard a frame as a special kind of agent, containing only scoping and assertions.
This is the view taken in [2].

Some notational conventions: We define the agent $\mathbf{0}$ as $(\!|\mathbf{1}|\!)$. The construct $\mathsf{case}\ \varphi_1 : P_1\ [\!]\ \cdots\ [\!]\ \varphi_n : P_n$
is sometimes written as $\mathsf{case}\ \tilde{\varphi} : \tilde{P}$, or if $n = 1$ as $\mathsf{if}\ \varphi_1\ \mathsf{then}\ P_1$. The input subject is underlined to facilitate
parsing of complicated expressions; in simple cases we often conform to a more traditional notation and
omit the underline.

Formally, we define name swapping on agents by distributing it over all constructors, and substitution
on agents by distributing it and avoiding captures by binders through alpha-conversion in the usual way.
We identify alpha-equivalent agents; in that way we get a nominal data type of agents where the support
$n(P)$ of $P$ is the union of the supports of the components of $P$, removing the names bound by Input and
$\nu$, and corresponds to the names with a free occurrence in $P$.

Definition 7 (Frame of an agent). The frame $\mathcal{F}(P)$ of an agent $P$ is defined inductively as follows:

$\mathcal{F}(\underline{M}(x).P) = \mathcal{F}(\overline{M}N.P) = \mathcal{F}(\mathsf{case}\ \tilde{\varphi} : \tilde{P}) = \mathcal{F}(!P) = \mathbf{1}$
$\mathcal{F}((\!|\Psi|\!)) = (\nu\varepsilon)\Psi$
$\mathcal{F}(P \mid Q) = \mathcal{F}(P) \otimes \mathcal{F}(Q)$
$\mathcal{F}((\nu b)P) = (\nu b)\mathcal{F}(P)$

2.3 Operational semantics 

The presentation of psi-calculi in [5] gives a semantics of an early kind, where input actions are of kind
$\underline{M}N$. Here we give an operational semantics of the late kind, meaning that the labels of input transitions
contain variables for the object to be received. With this kind of semantics it is easier to establish a 
relation to the symbolic semantics. We also establish precisely how it relates to the original. 
Definition 8 (Actions). The actions ranged over by $\alpha, \beta$ are of the following three kinds: $\overline{M}(\nu\tilde{a})N$
(Output), $\underline{M}(x)$ (Input), and $\tau$ (Silent).

For actions we refer to $M$ as the subject and $N$ and $x$ as the objects. We let $subj(\overline{M}(\nu\tilde{a})N) =$
$subj(\underline{M}(x)) = M$. We define $bn(\overline{M}(\nu\tilde{a})N) = \tilde{a}$, $bn(\underline{M}(x)) = \{x\}$, and $bn(\tau) = \emptyset$. We also define $n(\tau) = \emptyset$
and $n(\alpha) = n(N) \cup n(M)$ if $\alpha$ is an output or input. As in the pi-calculus, the output $\overline{M}(\nu\tilde{a})N$ represents
an action sending $N$ along $M$ and opening the scopes of the names $\tilde{a}$. Note in particular that the support
of this action includes $\tilde{a}$. Thus $\overline{M}(\nu a)a$ and $\overline{M}(\nu b)b$ are different actions.

Definition 9 (Transitions). A transition is of the kind $\Psi \rhd P \xrightarrow{\alpha} P'$, meaning that when the environment
contains the assertion $\Psi$ the agent $P$ can do an $\alpha$ to become $P'$. The transitions are defined inductively
in Table 1.

Note that $\Psi$ in Table 1 expresses the effect that the environment has on the agent, by enabling conditions
in Case, by giving rise to action subjects in In and Out and by enabling interactions in Com.

Both agents and frames are identified by alpha equivalence. This means that we can choose the bound 
names fresh in the premise of a rule. In a transition the names in bn(a) count as binding into both the 
action object and the derivative, and transitions are identified up to alpha equivalence. This means that 
the bound names can be chosen fresh, substituting each occurrence in both the object and the derivative. 
This is the reason why bn(a) is in the support of the output action: otherwise it could be alpha-converted 
in the action alone. 

Table [2] gives the rules for input and communication of an early kind used in [5]. The following 
lemma clarifies the relation between the two semantics: 
$$\textsc{In}\ \frac{\Psi \vdash M \leftrightarrow K}{\Psi \rhd \underline{M}(x).P \xrightarrow{\underline{K}(x)} P}
\qquad
\textsc{Out}\ \frac{\Psi \vdash M \leftrightarrow K}{\Psi \rhd \overline{M}N.P \xrightarrow{\overline{K}N} P}
\qquad
\textsc{Case}\ \frac{\Psi \rhd P_i \xrightarrow{\alpha} P' \quad \Psi \vdash \varphi_i}{\Psi \rhd \mathsf{case}\ \tilde{\varphi} : \tilde{P} \xrightarrow{\alpha} P'}$$

$$\textsc{Com}\ \frac{\Psi_Q \otimes \Psi \rhd P \xrightarrow{\overline{M}(\nu\tilde{a})N} P' \quad \Psi_P \otimes \Psi \rhd Q \xrightarrow{\underline{K}(x)} Q' \quad \Psi \otimes \Psi_P \otimes \Psi_Q \vdash M \leftrightarrow K}{\Psi \rhd P \mid Q \xrightarrow{\tau} (\nu\tilde{a})(P' \mid Q'[x := N])}\ \ \tilde{a} \# Q$$

$$\textsc{Par}\ \frac{\Psi_Q \otimes \Psi \rhd P \xrightarrow{\alpha} P'}{\Psi \rhd P \mid Q \xrightarrow{\alpha} P' \mid Q}\ \ bn(\alpha) \# Q
\qquad
\textsc{Scope}\ \frac{\Psi \rhd P \xrightarrow{\alpha} P'}{\Psi \rhd (\nu b)P \xrightarrow{\alpha} (\nu b)P'}\ \ b \# \alpha, \Psi$$

$$\textsc{Open}\ \frac{\Psi \rhd P \xrightarrow{\overline{M}(\nu\tilde{a})N} P'}{\Psi \rhd (\nu b)P \xrightarrow{\overline{M}(\nu\tilde{a} \cup \{b\})N} P'}\ \ b \# \tilde{a}, \Psi, M;\ b \in n(N)
\qquad
\textsc{Rep}\ \frac{\Psi \rhd P \mid\, !P \xrightarrow{\alpha} P'}{\Psi \rhd\, !P \xrightarrow{\alpha} P'}$$

Table 1: Late operational semantics. Symmetric versions of Com and Par are elided. In the rule Com
we assume that $\mathcal{F}(P) = (\nu\tilde{b}_P)\Psi_P$ and $\mathcal{F}(Q) = (\nu\tilde{b}_Q)\Psi_Q$ where $\tilde{b}_P$ is fresh for all of $\Psi, \tilde{b}_Q, Q, M$ and
$P$, and that $\tilde{b}_Q$ is correspondingly fresh. In the rule Par we assume that $\mathcal{F}(Q) = (\nu\tilde{b}_Q)\Psi_Q$ where $\tilde{b}_Q$ is
fresh for $\Psi, P$ and $\alpha$. In Open the expression $\tilde{a} \cup \{b\}$ means the sequence $\tilde{a}$ with $b$ inserted anywhere.



$$\textsc{In}\ \frac{\Psi \vdash M \leftrightarrow K}{\Psi \rhd \underline{M}(x).P \xrightarrow{\underline{K}N} P[x := N]}
\qquad
\textsc{Com}\ \frac{\Psi_Q \otimes \Psi \rhd P \xrightarrow{\overline{M}(\nu\tilde{a})N} P' \quad \Psi_P \otimes \Psi \rhd Q \xrightarrow{\underline{K}N} Q' \quad \Psi \otimes \Psi_P \otimes \Psi_Q \vdash M \leftrightarrow K}{\Psi \rhd P \mid Q \xrightarrow{\tau} (\nu\tilde{a})(P' \mid Q')}\ \ \tilde{a} \# Q$$

Table 2: Early structured operational semantics. All other rules are as in the late semantics of Table 1.

Lemma 10.

1. $\Psi \rhd P \xrightarrow{\underline{K}N} Q$ in the early semantics iff there exist $Q'$ and $x$ such that $\Psi \rhd P \xrightarrow{\underline{K}(x)} Q'$ in the late
semantics, where $Q = Q'[x := N]$.

2. For output and $\tau$ actions, $\Psi \rhd P \xrightarrow{\alpha} Q$ in the early semantics iff the same transition can be
derived in the late semantics.

The proof is by induction over the transition derivations. In the proof of (2), the case $\alpha = \tau$ needs
both (1) and the case where $\alpha$ is an output.

2.4 Bisimulation 

We proceed to define early bisimulation with the late semantics: 

Definition 11 ((Early) Bisimulation). A bisimulation $\mathcal{R}$ is a ternary relation between assertions and
pairs of agents such that $\mathcal{R}(\Psi, P, Q)$ implies all of

1. Static equivalence: $\Psi \otimes \mathcal{F}(P) \simeq \Psi \otimes \mathcal{F}(Q)$

2. Symmetry: $\mathcal{R}(\Psi, Q, P)$

3. Extension of arbitrary assertion: $\forall \Psi'.\ \mathcal{R}(\Psi \otimes \Psi', P, Q)$

4. Simulation: for all $\alpha, P'$ such that $bn(\alpha) \# \Psi, Q$

(a) if $\alpha = \underline{M}(x)$: $\Psi \rhd P \xrightarrow{\alpha} P' \Rightarrow$
$\forall L\ \exists Q'.\ \Psi \rhd Q \xrightarrow{\alpha} Q'$ and $\mathcal{R}(\Psi, P'[x := L], Q'[x := L])$.

(b) otherwise: $\Psi \rhd P \xrightarrow{\alpha} P' \Rightarrow \exists Q'.\ \Psi \rhd Q \xrightarrow{\alpha} Q'$ and $\mathcal{R}(\Psi, P', Q')$.

We define $P \mathrel{\dot\sim} Q$ to mean that there exists a bisimulation $\mathcal{R}$ such that $\mathcal{R}(\mathbf{1}, P, Q)$. We also define $P \sim Q$
to mean that $P[\tilde{x} := \tilde{L}] \mathrel{\dot\sim} Q[\tilde{x} := \tilde{L}]$ for all $\tilde{x}, \tilde{L}$.

The relation between this definition and the original definition of bisimulation in [5] is clarified by
the following: 



Lemma 12. For the psi-calculi in the present paper, a relation is a bisimulation according to Def. 11
precisely if it is a bisimulation according to [5].

The proof is straightforward using Lemma 10. As a corollary the algebraic properties of $\sim$ established
in [5] hold, notably that it is a congruence.



3 Symbolic semantics and equivalence 

The idea behind a symbolic semantics is to reduce the state space of agents. One standard way is to avoid 
infinite branching in inputs by using a fresh name to represent whatever was received. 

In psi-calculi there is an additional source of infinite branching: a subject in a prefix may get rewritten 
to many terms. Also here we use a fresh name to represent these terms. This means that the symbolic 
actions are the same as the concrete actions with the exception that only names are used as subjects. 

A symbolic transition is of form

$$\Psi \rhd P \xrightarrow{\alpha}_{C} P'$$

The intuition is that this represents a set of concrete transitions, namely those that satisfy the constraint $C$.
Before the formal definitions we here briefly explain the rationale. Consider a psi-calculus with integers
and integer equations; for example a condition can be "$x = 3$". An example agent is $P = \mathsf{case}\ x = 3 : P'$.
If $P' \xrightarrow{\alpha}_{\mathit{true}} P''$, where $\mathit{true}$ is a constraint that is always true, then there should clearly be a transition
$P \xrightarrow{\alpha}_{C} P''$ for some constraint $C$ that captures that $x$ must be 3. One context that can make this constraint
true is an input, as in $a(x).P$. The input will give rise to a substitution for $x$, and if the substitution sends
$x$ to 3 the constraint is satisfied. In this way the constraints are similar to those for the pi-calculus [9, 18].
In psi-calculi there is an additional way that a context can enable the transition: it can contain an assertion
as in $(\!|x := 3|\!) \mid P$. Concretely this agent has a transition $(\!|x := 3|\!) \mid P \xrightarrow{\alpha} (\!|x := 3|\!) \mid P''$ since $x := 3 \vdash x = 3$.
Therefore a solution of a constraint will contain both a substitution of terms for names (representing the
effect of an input) and an assertion (representing the effect of a parallel component).

Definition 13. The atomic constraints are of the form $(\nu\tilde{a})\{\!|\Psi \vdash \varphi|\!\}$ where $\tilde{a}$ are binding occurrences
into $\Psi$ and $\varphi$. A solution of an atomic constraint is a pair $(\sigma, \Psi')$ where $\sigma$ is a substitution of terms for
names such that $\tilde{a} \# \sigma, \Psi'$ and $\Psi\sigma \otimes \Psi' \vdash \varphi\sigma$. We adopt the notation $(\sigma, \Psi) \models C$ to say that $(\sigma, \Psi)$ is a
solution of $C$, and write $\mathit{sol}(C)$ for $\{(\sigma, \Psi) : (\sigma, \Psi) \models C\}$.

The transition constraints are the atomic constraints $C$ and conjunctions of atomic constraints $C \wedge C'$,
where the solutions are the intersection of the solutions for $C$ and $C'$, and we let $(\nu\tilde{a})(C \wedge C')$ mean
$(\nu\tilde{a})C \wedge (\nu\tilde{a})C'$.



Magnus Johansson, Bjorn Victor, Joachim Parrow



$$\textsc{In}\ \frac{}{\Psi \rhd \underline{M}(x).P \xrightarrow{\underline{y}(x)}_{\{\!|\Psi \vdash M \leftrightarrow y|\!\}} P}\ \ y \# \Psi, M, P, x
\qquad
\textsc{Out}\ \frac{}{\Psi \rhd \overline{M}N.P \xrightarrow{\overline{y}N}_{\{\!|\Psi \vdash M \leftrightarrow y|\!\}} P}\ \ y \# \Psi, M, N, P$$

$$\textsc{Case}\ \frac{\Psi \rhd P_i \xrightarrow{\alpha}_{C} P'}{\Psi \rhd \mathsf{case}\ \tilde{\varphi} : \tilde{P} \xrightarrow{\alpha}_{C \wedge \{\!|\Psi \vdash \varphi_i|\!\}} P'}$$

$$\textsc{Com}\ \frac{\Psi_Q \otimes \Psi \rhd P \xrightarrow{\overline{y}(\nu\tilde{a})N}_{(\nu\tilde{b}_P)\{\!|\Psi' \vdash M_P \leftrightarrow y|\!\} \wedge C_P} P' \quad \Psi_P \otimes \Psi \rhd Q \xrightarrow{\underline{z}(x)}_{(\nu\tilde{b}_Q)\{\!|\Psi' \vdash M_Q \leftrightarrow z|\!\} \wedge C_Q} Q'}{\Psi \rhd P \mid Q \xrightarrow{\tau}_{(\nu\tilde{b}_P, \tilde{b}_Q)\{\!|\Psi' \vdash M_P \leftrightarrow M_Q|\!\} \wedge C_P \wedge C_Q} (\nu\tilde{a})(P' \mid Q'[x := N])}\ \ \tilde{a} \# Q,\ y \# z,\ \Psi' = \Psi \otimes \Psi_P \otimes \Psi_Q$$

$$\textsc{Par}\ \frac{\Psi_Q \otimes \Psi \rhd P \xrightarrow{\alpha}_{C} P'}{\Psi \rhd P \mid Q \xrightarrow{\alpha}_{(\nu\tilde{b}_Q)C} P' \mid Q}\ \ bn(\alpha) \# Q
\qquad
\textsc{Scope}\ \frac{\Psi \rhd P \xrightarrow{\alpha}_{C} P'}{\Psi \rhd (\nu a)P \xrightarrow{\alpha}_{(\nu a)C} (\nu a)P'}\ \ a \# \alpha, \Psi$$

$$\textsc{Open}\ \frac{\Psi \rhd P \xrightarrow{\overline{y}(\nu\tilde{a})N}_{C} P'}{\Psi \rhd (\nu a)P \xrightarrow{\overline{y}(\nu\tilde{a} \cup \{a\})N}_{(\nu a)C} P'}\ \ a \in n(N),\ a \# \tilde{a}, \Psi, y
\qquad
\textsc{Rep}\ \frac{\Psi \rhd P \mid\, !P \xrightarrow{\alpha}_{C} P'}{\Psi \rhd\, !P \xrightarrow{\alpha}_{C} P'}$$

Table 3: Transition rules for the symbolic semantics. Symmetric versions of Com and Par are elided.
In the rule Com we assume that $\mathcal{F}(P) = (\nu\tilde{b}_P)\Psi_P$ and $\mathcal{F}(Q) = (\nu\tilde{b}_Q)\Psi_Q$ where $\tilde{b}_P$ is fresh for all of
$\Psi, \tilde{b}_Q, Q$ and $P$, and that $\tilde{b}_Q$ is correspondingly fresh. We also assume that $y, z \# \Psi, \tilde{b}_P, P, \tilde{b}_Q, Q, N, \tilde{a}$.
In the rule Par we assume that $\mathcal{F}(Q) = (\nu\tilde{b}_Q)\Psi_Q$ where $\tilde{b}_Q$ is fresh for $\Psi, P$ and $\alpha$. In Open the
expression $\tilde{a} \cup \{a\}$ means the sequence $\tilde{a}$ with $a$ inserted anywhere.



A transition constraint $C$ defines a set of solutions $\mathit{sol}(C)$, namely those where the entailment
becomes true by applying the substitution and adding the assertion. For example, the transition constraint
$\{\!|\mathbf{1} \vdash x = 3|\!\}$ has solutions $([x := 3], \mathbf{1})$ and $(\mathit{Id}, x = 3)$, where $\mathit{Id}$ is the identity substitution.
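To make Definition 13 and the solution sets concrete, here is a small Python model. It is added for this page and is not the paper's code nor that of any psi-calculi tool. It assumes the integer instance sketched above (terms are integers or names, assertions are finite sets of assignments $x := M$ with $\mathbf{1}$ the empty set, conditions are equality tests) and leaves out the binders $(\nu\tilde{a})$; the names `is_solution`, `sol` and `implies` and the finite candidate domains `SUBSTS` and `ASSERTS` are constructed for the example, so `sol` enumerates only a finite approximation of the (infinite) solution set.

```python
"""Toy model of transition constraints and their solutions (Definition 13).

Constructed for this page; not the paper's or any psi-calculi tool's code.
Instance modelled: terms are ints or names (str), assertions are finite sets of
assignments x := M with the unit 1 as the empty set, conditions are equality
tests M = N. Binders (nu a~) on constraints are left out.
"""
from itertools import product

UNIT = frozenset()   # the unit assertion 1 (asserts nothing)
ID = {}              # the identity substitution Id


def subst_term(term, sigma):
    """Apply a substitution of terms for names to a single term."""
    return sigma.get(term, term) if isinstance(term, str) else term


def subst_assertion(psi, sigma):
    """Psi sigma: substitute inside the assigned values; the assigned names stay."""
    return frozenset((name, subst_term(value, sigma)) for name, value in psi)


def compose(psi1, psi2):
    """Psi1 (x) Psi2: in this instance, the union of the assignments."""
    return frozenset(psi1) | frozenset(psi2)


def resolve(term, psi):
    """Chase a name through the assignments of Psi; stop at a value or a cycle."""
    seen = set()
    while isinstance(term, str) and term not in seen:
        seen.add(term)
        for name, value in psi:
            if name == term:
                term = value
                break
    return term


def entails(psi, cond):
    """Psi |- M = N holds when both sides resolve to the same term."""
    m, n = cond
    return resolve(m, psi) == resolve(n, psi)


def is_solution(constraint, sigma, psi_prime):
    """(sigma, Psi') |= C for C a list of atomic constraints (Psi, phi):
    every conjunct needs Psi sigma (x) Psi' |- phi sigma."""
    for psi, (m, n) in constraint:
        env = compose(subst_assertion(psi, sigma), psi_prime)
        if not entails(env, (subst_term(m, sigma), subst_term(n, sigma))):
            return False
    return True


def sol(constraint, substitutions, assertions):
    """sol(C) restricted to a finite candidate domain of (sigma, Psi') pairs."""
    return {(tuple(sorted(s.items())), psi)
            for s, psi in product(substitutions, assertions)
            if is_solution(constraint, s, psi)}


def implies(c, d, substitutions, assertions):
    """C => D iff sol(C) is a subset of sol(D), checked over the finite domain."""
    return sol(c, substitutions, assertions) <= sol(d, substitutions, assertions)


# The page's example constraint {|1 |- x = 3|}.
X_IS_3 = [(UNIT, ('x', 3))]


def page_example():
    """The two solutions named on the page, followed by two non-solutions."""
    return (is_solution(X_IS_3, {'x': 3}, UNIT),               # ([x := 3], 1)
            is_solution(X_IS_3, ID, frozenset({('x', 3)})),    # (Id, x := 3)
            is_solution(X_IS_3, ID, UNIT),                     # x unconstrained
            is_solution(X_IS_3, {'x': 4}, UNIT))               # wrong value


# Constructed finite domain: substitute 0..4 for x (and y); assert x := n or nothing.
SUBSTS = ([ID] + [{'x': i} for i in range(5)]
          + [{'x': i, 'y': j} for i in range(5) for j in range(5)])
ASSERTS = [UNIT] + [frozenset({('x', n)}) for n in range(5)]


def conjunction_example():
    """{|1 |- x = 3|} /\\ {|1 |- y = x|} implies {|1 |- y = 3|}, but not conversely."""
    c = [(UNIT, ('x', 3)), (UNIT, ('y', 'x'))]
    d = [(UNIT, ('y', 3))]
    return implies(c, d, SUBSTS, ASSERTS), implies(d, c, SUBSTS, ASSERTS)
```

`page_example()` reproduces the two solutions of $\{\!|\mathbf{1} \vdash x = 3|\!\}$ given above and rejects $(\mathit{Id}, \mathbf{1})$ and $([x := 4], \mathbf{1})$; `conjunction_example()` checks constraint implication in the sense of Definition 15 in both directions, which over the finite domain is a sound check only for the pairs enumerated.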

The structured operational symbolic semantics is defined in Table 3. First consider the Out rule:
$\Psi \rhd \overline{M}N.P \xrightarrow{\overline{y}N}_{\{\!|\Psi \vdash M \leftrightarrow y|\!\}} P$. The symbolic subject $y$ must be chosen fresh and has a constraint associated
with it: the transition can be taken in any solution that implies that the subject $M$ of the syntactic prefix
is channel equivalent to $y$.

The rule COM is of particular interest. The intuition is that the symbolic action subjects are place- 
holders for the values Mp and Mq. In the conclusion the constraint is that these are channel equivalent, 
while y and z will not occur again. 

We will often write $P \xrightarrow{\alpha}_{C} P'$ for $\mathbf{1} \rhd P \xrightarrow{\alpha}_{C} P'$.
3.1 Symbolic bisimulation

In order to define a symbolic bisimulation we need additional kinds of constraints. If a process $P$ does a
bound output $\overline{y}(\nu\tilde{a})N$ that is matched by a bound output $\overline{y}(\nu\tilde{a})N'$ from $Q$ we need constraints that keep
track of the fact that $N$ and $N'$ should be syntactically the same, and that $\tilde{a}$ is sufficiently fresh.

Definition 14. The constraints include the transition constraints, $\{\!|M = N|\!\}$, and $\{\!|a \# X|\!\}$, where $X$ is
any nominal data type. The solutions of the last two are all pairs $(\sigma, \Psi)$ such that $M\sigma = N\sigma$ and
$a \# (X\sigma)$ respectively. We also include conjunction of constraints $C \wedge C'$, where the set of solutions is the
intersection of the solutions for $C$ and $C'$.

Note that the assertion part of the solution is irrelevant for constraints of kind $\{\!|M = N|\!\}$ and $\{\!|a \# X|\!\}$,
and that the substitution does not affect $a$ in $\{\!|a \# X|\!\}$. The constraint $\{\!|M = N|\!\}$ is used in the bisimulation
for matching output objects, and $\{\!|a \# X|\!\}$ is used in the bisimulation for recording what an opened name
must be fresh for. This corresponds to distinctions in open bisimulation for the pi-calculus [21]. We
define $\mathit{true}$ to be $\{\!|M = M|\!\}$, we write $\{\!|a \# X, Y|\!\}$ for $\{\!|a \# X|\!\} \wedge \{\!|a \# Y|\!\}$, and we extend the notation to sets
of names, e.g. $\{\!|\tilde{a} \# X|\!\}$.

Definition 15 (Constraint implication). A constraint $C$ implies another constraint $D$, written $C \Rightarrow D$,
iff $\mathit{sol}(C) \subseteq \mathit{sol}(D)$. We write $C \Rightarrow \bigvee \mathcal{C}$ iff for each $(\sigma, \Psi) \in \mathit{sol}(C)$ there exists a $C' \in \mathcal{C}$ such that
$(\sigma, \Psi) \in \mathit{sol}(C')$.

Before we can give the definition of symbolic bisimulation we need to define a symbolic variant of 
the concrete static equivalence. 

Definition 16 (Symbolic static equivalence). Two processes $P$ and $Q$ are statically equivalent for $C$,
written $P \sim_C Q$, if for each $(\sigma, \Psi) \in \mathit{sol}(C)$ we have that $\Psi \otimes \mathcal{F}(P)\sigma \simeq \Psi \ot
imes \mathcal{F}(Q)\sigma$.

We now have everything we need to define symbolic bisimulation. This definition follows the defi- 
nition in iTTTl closely. 

Definition 17 ((Early) Symbolic bisimulation). A symbolic bisimulation $\mathcal{S}$ is a ternary relation between
constraints and pairs of agents such that $\mathcal{S}(C, P, Q)$ implies all of

1. $P \sim_C Q$, and

2. $\mathcal{S}(C, Q, P)$, and

3. If $P \xrightarrow{\alpha}_{C_P} P'$, $bn(\alpha) \# (P, Q, C, C_P, subj(\alpha))$ and $subj(\alpha) \# (P, Q, C)$ then there exists a set of
constraints $\mathcal{C}$ such that $C \wedge C_P \Rightarrow \bigvee \mathcal{C}$
and for all $C' \in \mathcal{C}$ there exist $Q'$, $\alpha'$, and $C_Q$ such that

(a) $Q \xrightarrow{\alpha'}_{C_Q} Q'$, and

(b) $C' \Rightarrow C_Q$, and

(c) if $\alpha = \overline{y}(\nu\tilde{a})N$ then $\alpha' = \overline{y}(\nu\tilde{a})N'$, $C' \Rightarrow \{\!|N = N'|\!\}$
and $(C' \wedge \{\!|\tilde{a} \# P, Q|\!\}, P', Q') \in \mathcal{S}$;
otherwise $\alpha = \alpha'$ and $(C', P', Q') \in \mathcal{S}$.

We write $P \sim^{s} Q$ if $(\mathit{true}, P, Q) \in \mathcal{S}$ for some symbolic bisimulation $\mathcal{S}$, and say that $P$ is symbolically
bisimilar to $Q$.

The set $\mathcal{C}$ allows a case analysis on the constraint solutions, as exemplified in the next section. The
output objects need to be equal in a solution to $C'$. Since the solutions of $\{\!|N = N'|\!\}$ only depend on
the substitutions, this constraint corresponds to the fact that the objects must be identical in the concrete
bisimulation. Note that $bn(\alpha)$ may occur in $C$. Based on [9, 18], we conjecture that adding the
requirement $bn(\alpha) \# C$ would give late symbolic bisimulation.






4 Examples 

We now look at a few examples to illustrate the concrete and symbolic transitions and bisimulations.
First consider a simple example from the pi-calculus. This can be expressed as a psi-calculus: let the
only data terms be names, the only assertion be $\mathbf{1}$, the conditions be equality and inequality tests on
names, and entailment defined by $\forall a.\ \mathbf{1} \vdash a = a$, $\forall a, b : a \neq b.\ \mathbf{1} \vdash a \neq b$ and $\forall a.\ \mathbf{1} \vdash a \leftrightarrow a$. For a more
thorough discussion, see [5]. In the following examples we drop a trailing $.\mathbf{0}$. Consider the two agents
$P_1$ and $Q_1$:

$$P_1 = a(x).P_1' \quad \text{where } P_1' = \overline{a}b.\overline{a}b$$

$$Q_1 = a(x).Q_1' \quad \text{where } Q_1' = (\mathsf{case}\ x = b : \overline{a}b.\overline{a}b\ [\!]\ x \neq b : \overline{a}b.\overline{a}b)$$

These are bisimilar. A concrete bisimulation between these agents is

$$\{(\mathbf{1}, P_1, Q_1)\} \cup \bigcup_{n} \{(\mathbf{1}, P_1', Q_1'[x := n])\} \cup \{(\mathbf{1}, \overline{a}b, \overline{a}b)\}$$

The bisimulation needs to be infinite because of the infinite branching in the input. In contrast, a symbolic
bisimulation only contains four triples:

$$\{(\mathit{true}, P_1, Q_1),\ (\mathit{true}, P_1', Q_1'),\ (\{\!|\mathbf{1} \vdash x = b|\!\}, \overline{a}b, \overline{a}b),\ (\{\!|\mathbf{1} \vdash x \neq b|\!\}, \overline{a}b, \overline{a}b)\}$$

When checking the second triple $(true,P_1',Q_1')$, the transition of $P_1'$ is matched by a case analysis: 
$\mathcal{C}$ in the definition of symbolic bisimulation (Def. 17) is $\{\{|1 \vdash x = b|\}, \{|1 \vdash x \neq b|\}\}$, and a matching 
transition for $Q_1'$ can be found for each of these cases, so the agents are bisimilar. In contrast, they are 
not equivalent in the incomplete symbolic bisimulations in [11] and [15]. 

Next we look at an example where we have tuples of channels and projection, e.g. the entailment 
relation gives us that $1 \vdash first(M,N) \dot\leftrightarrow M$. Consider the agent 

$R = \overline{M}N.R'$ 

Concretely this agent has infinitely many transitions even in an empty frame: $R \xrightarrow{\overline{M}N} R'$, and equivalent 
actions $\overline{first(M,K)}N$ for all K, and $\overline{first(first(M,L),K)}N$ for all L and K, etc. Symbolically, however, it 
has only one transition: $R \xrightarrow{\overline{y}N}_{\{|1 \vdash M \dot\leftrightarrow y|\}} R'$. 

For another example, consider the two agents 

$P_2 = \overline{F}N.P'$ $\qquad$ $Q_2 = \mathbf{0}$ 

where F is a term such that for no $\Psi, M$ does it hold that $\Psi \vdash F \dot\leftrightarrow M$, i.e., F is not a channel. Then we 
have that $P_2$ and $Q_2$ are concretely bisimilar since neither one of them has a transition. But symbolically 
$P_2$ has the transition $P_2 \xrightarrow{\overline{y}N}_{\{|1 \vdash F \dot\leftrightarrow y|\}} P'$, while $Q_2$ has no symbolic transition. Perhaps surprisingly they 
are still symbolically bisimilar: Def. 17 requires that we find a disjunction $\mathcal{C}$ such that $C \wedge C_P \Rightarrow \bigvee\mathcal{C}$, 
or in this case such that $true \wedge \{|1 \vdash F \dot\leftrightarrow y|\} \Rightarrow \bigvee\mathcal{C}$. Since F is not channel equivalent to anything, the 
left hand side has no solutions, which means that any set $\mathcal{C}$ will do, and in particular the empty one. 
The condition "for all $C' \in \mathcal{C}$" in the definition becomes trivially true, so $Q_2$ does not have to mimic the 
transition. 

A final example shows the use of cryptographic primitives. Here the terms contain $enc(M,k)$ and 
$dec(M,k)$, assertions are variable assignments, e.g. $x := M$, the conditions are equality tests between 
terms, and the entailment relation is parametrised by an equation system which contains the equation 
$dec(enc(M,k),k) = M$. Consider 

$P_3 = (\nu a,k)\,((|x := enc(a,k)|) \mid b(z).\overline{b}k.(\mathbf{case}\ z = a : \overline{c}d))$ 
$Q_3 = (\nu a,k)\,((|x := enc(a,k)|) \mid b(z).\overline{b}k)$ 

Here the environment can use x, the result of encrypting a with k, but not the bound a or k. Intuitively 
these agents are bisimilar since the key k is not revealed until after the agents receive z, which therefore 
cannot be equal to a. The first symbolic transitions of the agents are 

$P_3 \xrightarrow{y(z)}_{(\nu a,k)\{|1 \vdash b \dot\leftrightarrow y|\}} (\nu a,k)((|x := enc(a,k)|) \mid \overline{b}k.(\mathbf{case}\ z = a : \overline{c}d)) = P_3'$ 

$Q_3 \xrightarrow{y(z)}_{(\nu a,k)\{|1 \vdash b \dot\leftrightarrow y|\}} (\nu a,k)((|x := enc(a,k)|) \mid \overline{b}k) = Q_3'$ 

and the second transitions are 

$P_3' \xrightarrow{\overline{y'}(\nu k)k}_{(\nu a,k)\{|1 \vdash b \dot\leftrightarrow y'|\}} (\nu a)((|x := enc(a,k)|) \mid \mathbf{case}\ z = a : \overline{c}d) = P_3''$ 

$Q_3' \xrightarrow{\overline{y'}(\nu k)k}_{(\nu a,k)\{|1 \vdash b \dot\leftrightarrow y'|\}} (\nu a)((|x := enc(a,k)|)) = Q_3''$ 

A symbolic bisimulation, where we for simplicity ignore the constraints that arise for subjects, is 
$\{(true,P_3,Q_3),\ (true,P_3',Q_3'),\ (\{|k\#P_3',Q_3'|\},P_3'',Q_3'')\}$ 

Here the constraint $\{|k\#P_3',Q_3'|\}$ will among other things imply that $k\#z$. The final transition of $P_3''$ has the 
constraint $(\nu a)\{|1 \vdash z = a|\}$, so we must find a disjunction $\mathcal{C}$ such that $\{|k\#P_3',Q_3'|\} \wedge (\nu a)\{|1 \vdash z = a|\} \Rightarrow \bigvee\mathcal{C}$. 
Since a is bound, the only way to find a solution to the left hand side is to find a value for z that evaluates 
to a. One candidate for a solution is $([z := dec(x,k)], 1)$, but because of the constraint $k\#z$ this does not 
work. In fact, there is no solution to the left hand side because of the freshness constraint on k and the 
fact that a is bound. This means that, as in the previous example, any disjunction $\mathcal{C}$ will do, and in 
particular the empty disjunction, and trivially $Q_3''$ does not have to mimic the transition. 

In contrast, if we swap the order of the inputs and the outputs in $P_3$ and $Q_3$, and try to construct 
the bisimulation relation we will discover that we do not get the constraint $k\#z$. This means that $([z := 
dec(x,k)], 1)$ is a solution to $C \wedge C_P$ in the definition of bisimulation, and that $Q_3''$ must mimic the transition 
from $P_3''$. In this case the agents are not bisimilar. 
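As an added illustration of the two cases above (this is not code from the paper), a toy search for values of z over the names the environment knows, using only the equation $dec(enc(M,k),k) = M$: with the freshness constraint $k\#z$ no candidate evaluates to a, while without it $[z := dec(x,k)]$ is found. The term encoding, the `ASSERTION` table and the search depth are constructed here, not taken from the paper.

```python
from itertools import product

# Added example, not code from the paper: a toy model of the constraint solving in the
# cryptographic example. Terms are names (str) or ("enc", m, k) / ("dec", m, k); the only
# equation is dec(enc(M,k),k) = M. The assertion x := enc(a,k) is constructed to match P3.
ASSERTION = {"x": ("enc", "a", "k")}

def normalize(t):
    """Rewrite innermost-first with dec(enc(M,k),k) -> M."""
    if isinstance(t, str):
        return t
    op, m, k = t
    m, k = normalize(m), normalize(k)
    if op == "dec" and isinstance(m, tuple) and m[0] == "enc" and m[2] == k:
        return m[1]
    return (op, m, k)

def evaluate(t, assertion):
    """Apply the variable assignments of the assertion, then normalize."""
    if isinstance(t, str):
        return normalize(assertion.get(t, t))
    return normalize((t[0], evaluate(t[1], assertion), evaluate(t[2], assertion)))

def names(t):
    """Names occurring in a term (used to check the freshness constraint k#z)."""
    return {t} if isinstance(t, str) else names(t[1]) | names(t[2])

def find_solution(known, fresh, target, assertion, depth=2):
    """Smallest term z built from the known names, not mentioning any name in `fresh`,
    such that z evaluates to `target`; None if the constraint has no solution (up to depth)."""
    terms = set(known)
    for level in range(depth + 1):
        for z in sorted(terms, key=repr):
            if not (names(z) & fresh) and evaluate(z, assertion) == target:
                return z
        if level < depth:
            terms |= {(op, m, k) for op in ("dec", "enc")
                      for m, k in product(terms, repeat=2)}
    return None

# Order of P3/Q3: k is revealed only after the input, so the constraint forces k#z.
NO_SOLUTION = find_solution({"x", "k"}, {"k"}, "a", ASSERTION)   # None
# Swapped order: k is already known when z is received, so [z := dec(x,k)] solves it.
SWAPPED = find_solution({"x", "k"}, set(), "a", ASSERTION)       # ("dec", "x", "k")
```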

5 Results 

We now turn to showing that the concrete and symbolic equivalences coincide. 

We define substitution on symbolic actions by $\tau\sigma = \tau$, $(y(x))\sigma = y\sigma(x\sigma)$, and $(\overline{y}(\nu\tilde{a})N)\sigma = 
\overline{y\sigma}(\nu\tilde{a})N\sigma$, where $x,\tilde{a}\#\sigma$. We define the substitution $\sigma \cdot [y := M]$ for $y\#\sigma$ by $(\sigma \cdot [y := M])(x) = M$ 
if $x = y$, and $\sigma(x)$ otherwise. 

The following two lemmas show the operational correspondence between the symbolic semantics 
and the concrete semantics: given a symbolic transition where the transition constraint has a solution, 
there is always a corresponding concrete transition (Lemma 18) and vice versa (Lemma 19). 

Lemma 18 (Correspondence symbolic-concrete). 

1. If $P \xrightarrow{y(x)}_C P'$ then for all $(\sigma,\Psi) \in sol(C)$ s.t. $x\#\sigma$ we have that $\Psi \rhd P\sigma \xrightarrow{(y(x))\sigma} P'\sigma$. 

2. If $P \xrightarrow{\overline{y}(\nu\tilde{a})N}_C P'$ then for all $(\sigma,\Psi) \in sol(C)$ s.t. $\tilde{a}\#\sigma$ we have that $\Psi \rhd P\sigma \xrightarrow{(\overline{y}(\nu\tilde{a})N)\sigma} P'\sigma$. 

3. If $P \xrightarrow{\tau}_C P'$ then for all $(\sigma,\Psi) \in sol(C)$ we have that $\Psi \rhd P\sigma \xrightarrow{\tau} P'\sigma$. 



Lemma 19 (Correspondence concrete-symbolic). 

1. If $\Psi \rhd P\sigma \xrightarrow{\underline{M}N} P'\sigma$, $y\#P,\sigma,M,N,x$, and $x\#\sigma,P$ then there exist $\tilde{b}$, $M_P$, and $C_P$ such that 
$P \xrightarrow{y(x)}_{(\nu\tilde{b})\{|\Psi_P \vdash M_P \dot\leftrightarrow y|\} \wedge C_P} P'$ and $(\sigma \cdot [y := M], \Psi) \in sol((\nu\tilde{b})\{|\Psi_P \vdash M_P \dot\leftrightarrow y|\} \wedge C_P)$. 

2. If $\Psi \rhd P\sigma \xrightarrow{\overline{M}(\nu\tilde{a})N\sigma} P'\sigma$, $y\#P,\sigma,M,\tilde{a}$, and $\tilde{a}\#\sigma,P$ then there exist $\tilde{b}$, $M_P$, $C_P$ such that 
$P \xrightarrow{\overline{y}(\nu\tilde{a})N}_{(\nu\tilde{b})\{|\Psi_P \vdash M_P \dot\leftrightarrow y|\} \wedge C_P} P'$ and $(\sigma \cdot [y := M], \Psi) \in sol((\nu\tilde{b})\{|\Psi_P \vdash M_P \dot\leftrightarrow y|\} \wedge C_P)$. 

3. If $\Psi \rhd P\sigma \xrightarrow{\tau} P'\sigma$ then there exists C such that $P \xrightarrow{\tau}_C P'$ and $(\sigma,\Psi) \in sol(C)$. 

We assume in 1 and 2 that $\mathcal{F}(P) = (\nu\tilde{b}_P)\Psi_P$ and $\tilde{b}_P\#\tilde{b},\Psi,y,\sigma,P$. 

The proofs are by induction over the transition derivation (one case for each rule). 

Theorem 20 (Soundness). Assume $\mathcal{S}$ is a symbolic bisimulation and let 

$\mathcal{R} = \{(\Psi,P\sigma,Q\sigma) : \exists C.\ (\sigma,\Psi) \models C \text{ and } (C,P,Q) \in \mathcal{S}\}$. Then $\mathcal{R}$ is a concrete bisimulation. 

The proof idea to show that $\mathcal{R}$ is a concrete bisimulation is to assume $(\Psi,P\sigma,Q\sigma) \in \mathcal{R}$ and that $P\sigma$ 
has a transition in environment $\Psi$. We use Lemma 19 to find a symbolic transition from P, then the fact 
that $\mathcal{S}$ is a symbolic bisimulation to find a simulating symbolic transition from Q, and finally Lemma 18 
to find the required concrete transitions from $Q\sigma$. 



Similarly to [17] we need an extra assumption about the expressiveness of constraints: for all 
$\mathcal{R},P,Q$ such that $\mathcal{R}$ is a concrete bisimulation there exists a constraint C such that $(\sigma,\Psi) \models C \iff 
(\Psi,P\sigma,Q\sigma) \in \mathcal{R}$. In order to determine symbolic bisimilarity in an efficient way we need to compute 
this constraint, which is easy for the pi-calculus [?, 13, ?] and harder (but in many practical cases 
possible) for cryptographic signatures [10]. These results suggest that our constraints are sufficiently 
expressive, but for other instances of psi-calculi we may have to extend the constraint language. We leave 
this as an area of further research. 

Theorem 21 (Completeness). Assume that $\mathcal{R}$ is a concrete bisimulation and let 

$\mathcal{S} = \{(C,P,Q) : (\sigma,\Psi) \models C \text{ implies } (\Psi,P\sigma,Q\sigma) \in \mathcal{R}\}$. Then $\mathcal{S}$ is a symbolic bisimulation. 



The proof idea is the converse of the proof for Theorem 20. The expressiveness assumption of 
constraints mentioned above is needed in order to construct the disjunction of constraints in the symbolic 
bisimulation. From these two theorems we get: 

Corollary 22 (Full abstraction). $P \sim Q$ if and only if $P \sim_s Q$. 



6 Conclusion and Future Work 



We have defined a symbolic operational semantics for psi-calculi and a symbolic bisimulation which is 
fully abstract with respect to the original semantics. While the developments in [?] give meta-theory for a wide 
range of calculi of mobile processes with nominal data and logic, the work presented in this paper gives 
a solid foundation for automated tools for the analysis of such calculi. 

As mentioned in the introduction, the purity of the original semantics of psi-calculi has made the 
symbolic semantics easier to develop. There are no structural equivalence rules (which are a complication 
in the applied pi-calculus), and the scope opening rule is therefore straightforward, which makes 
knowledge representation simpler than in spi-calculi, and the bisimulation less complex. Nevertheless, 
the technical challenges have not been absent: the precise design of the constraints and their solution has 
been delicate. Since assertions may occur under a prefix, the environment can change after a transition. 
Keeping the assertion $\Psi$ in the transition constraints (of the form $(\nu\tilde{a})\{|\Psi \vdash \varphi|\}$) essentially keeps a 
snapshot of the environment that gives rise to the transition. An alternative would be to use time stamps 
to keep track of which environment made which condition true, but that approach seems more difficult. 

Our symbolic bisimulation is a strong equivalence which does not abstract from the internal $\tau$ transitions. 
This is less useful for verification than a weak observational equivalence, but still a significant step 
towards mechanized verification. We are currently developing a weak bisimulation for psi-calculi, and 
are studying the correspondence to a barbed bisimulation congruence. Preliminary results indicate that 
lifting the symbolic bisimulation presented here to weak bisimulation will be unproblematic. 

The original psi-calculi admit pattern matching in inputs. In a symbolic semantics this would lead 
to complications in the COM-rule, which should introduce a substitution for the names bound in the 
pattern. This means introducing more fresh names and constraints, and it is not clear that the convenience 
of pattern matching outweighs such an awkward semantic rule. We leave this as an area for further study. 

For future work, we need to develop an algorithm for deciding symbolic bisimulation and implement 
it in a tool. A natural basis for this would be the algorithm given in [17]. Furthermore, the termination of 
the algorithm will depend on the properties of the parameters of the particular psi-calculus: it is easy to 
construct a psi-calculus where the entailment relation or static equivalence is not decidable, but in many 
practical cases it will be [10, 4]. We intend to use constraint solvers developed for specific application 
domains (e.g. security) in a future generic tool. We will also produce mechanized proofs of the adequacy 
of the symbolic semantics, using the Isabelle theorem prover. 

When typing schemes have been developed for psi-calculi, a natural progression would be to take 
advantage of those also in the symbolic semantics, to further constrain the possible values and thus the 
size of state spaces. 